(alexschapiro.com)

560 points bearsyankees | 1 comments | 12 May 25 16:39 UTC | HN request time: 0.306s | source

Show context

blantonl ◴[12 May 25 17:26 UTC] No.43965416[source]▶

>>43964937 (OP) #

Returning the OTP in the request API response is wild. Like why?

replies(6): >>43965452 #>>43965527 #>>43965664 #>>43965678 #>>43965989 #>>43967689 #

mooreds ◴[12 May 25 17:29 UTC] No.43965452[source]▶

>>43965416 #

I too am bewildered.

Maybe to make it easier to build the form accepting the OTP? Oversight?

I can't think of any other reasons.

replies(3): >>43965701 #>>43965737 #>>43966261 #

1. ksala_ ◴[12 May 25 17:52 UTC] No.43965737[source]▶

>>43965452 #

My best guess would be some form of testing before they added sending the "sending a message" part to the API. Build the OTP logic, the scaffolding... and add a way to make sure it returns what you expect. But yes absolutely wild.

↑

I hacked a dating app (and how not to treat a security researcher)